[Grml] How to verify daily snapshot downloads

Michael Prokop mika at grml.org
Wed Apr 19 15:32:17 CEST 2017


* Bernhard Reiter [Wed Apr 19, 2017 at 11:08:19AM +0200]:

> today I've taken a look at a daily image for grml.org
> and found no way to verify that the image I'm downloading actually is
> from your build machines.

> http://grml.org/daily/
> leads me to something like 
> http://daily.grml.org/grml64-full_testing/2017-04-19_05-31-21/

> where there are no OpenPGP signatures available.
> and the https variant or the url does not show the files.

> This is a problem because a downloader like can be attacked by serving a 
> different iso file and the corresponding checksums. To prevent this attack 
> you could 
> a) also use https on the daily.grml.org server
> b) Use a new OpenPGP build-key without password, publish the pubkey on the 
> https mainsite and use the key in the automatic building process to generate 
> the detached signatures.

Good idea, I'll add this to our todo list.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://ml.grml.org/pipermail/grml/attachments/20170419/5fcb4b33/attachment.sig>

More information about the Grml mailing list